[fpc-pascal] Processing passwords etc.

Jonas Maebe jonas.maebe at elis.ugent.be
Fri Apr 11 10:43:29 CEST 2014


On 11 Apr 2014, at 10:26, Michael Van Canneyt wrote:

> OTOH, I think people are hugely exaggerating the problem, considering it was introduced relatively recently and that I got my security update before it hit the newspapers.

The exploit code was also on github before news about the bug hit the newspapers. There is even some evidence it may have been exploited for at least 3 months already, maybe longer (because unless you used some special intrusion detection system rules, it left no traces at all in the log files, so there's only very little data to go on).

Also, the fact that you updated your server so quickly doesn't mean that everyone did. Our university's mail servers were only patched yesterday morning (more than 24 hours after the story broke), because they needed time to prepare the patching (don't ask, I don't know the details). I bet tons of credentials and private data have been accessed over the past days all over the world.

> That is of course not to say that it shouldn't be fixed and people shouldn't bother.
> But the way it is presented is more about scaring people than anything else. Hysterics...

I very strongly disagree. All certificates and login data used with vulnerable services over the past year or so should be considered compromised. It will probably take months before all affected certificates are replaced (if that ever happens for most of them), and many of the replaced and hence potentially compromised certificates will probably never be revoked. The result is a huge increase in chances for man-in-the-middle attacks, not to mention all the compromised login data and private information (emails, bank statements, ...).


Jonas

